Jason Gait


This publication describes the design of four maintenance tests for
the Federal Information Processing Data Encryption Standard (DES). The
tests consist of an iterative procedure that tests the operation of
DES devices by using a small program and minimum data. The tests are
designed to be independent of implementation and to be fast enough to
test devices during actual operation. The tests are defined as four
specific stopping points in a general testing process and satisfy four
testing requirements of increasing degree of completeness depending on
the thoroughness of testing desired.


Key  words:  Communications  security;  computer 
security;  cryptography;  data  encryption  standard; 
in-service  testing;  maintenance  tests;  Monte-Carlo 
testing;  stuck-fault  testing;  test  cases. 


1.   INTRODUCTION 


The Federal Information Processing Data Encryption Standard (DES) is
the standard cryptographic algorithm for use within the Federal
Government for protecting non-classified transmission and storage of
computer data. The DES algorithm is normally implemented in hardware
and commercial DES devices are presently available from eight
different sources. The National Bureau of Standards has validated the
designs of the various hardware implementations with a validation
test, i.e., a collection of input-key-output triplets which, when
applied as a test to a device, and if successfully executed, ensures
that the device being tested in fact correctly executes the DES
algorithm. A Monte-Carlo test using random data is also a part of this
test [8].

A small maintenance test, residing in read only memory and executed by
the same microprocessor that controls the DES device, provides a means
of testing the operation of the DES hardware in the field. Since one
criterion for a field test is that it be economical, the tests are
designed so that only a partial test may be needed in a given
application. The test is so designed that a full functional test can
be executed if it is convenient and desirable to do so.

The maintenance test provides results which are a combination of the
validation test and of the Monte-Carlo test described in [8]. The
maintenance test uses an initial fixed input-key pair and the
resulting ciphertext is then fed back as input or as key, as in the
Monte-Carlo test, and this cycling process is repeated. By simply
checking the output of this process against four known results the
test determines if the DES algorithm is properly functioning. A
maximum of 192 cycles has been determined to test completely the DES
device but three earlier check points are defined which result in
specific partial tests. In all, four categories of tests have been
defined. They range from a simple test for stuck-faults of the 64
output bits of the DES to a complete functional test.


1.1   Validation  vs  Maintenance  Testing 

The maintenance tests described here replicate the functionality of
both the validation test and the Monte-Carlo test procedure used to
validate implementations of the DES [8,9]. In fact, by taking
advantage of the pseudo-random nature of the DES output, we are able
to describe a smaller, more efficient test procedure that is
equivalent to the test previously described in [8], although the
extensive Monte-Carlo test is not reproduced.


1.2  The Maintenance Tests

The maintenance tests depend only on the functionality of the
algorithm and not on any particular implementation. The tests can be
performed with a short program whose two inputs consist of an initial
plaintext and an initial key and whose output is a final ciphertext.
The test program creates a cycling process that tests the complete
functionality of the DES algorithm as well as testing for stuck-at-one
and stuck-at-zero faults at the various input and output interfaces.
Stuck-at-one or stuck-at-zero faults occur due to a circuit failure,
e.g., an open circuit. The device is known to be performing correctly
if the observed final ciphertext matches the expected result. The
cycling process consists of a maximum of 192 encipherments and
decipherments intermixed in such a way as to test all aspects of the
algorithm. The execution of the test program requires little time and
hence the test can be used on-line to examine the functionality of a
device in-service as well as for other testing purposes.

The complete test is determined by the following recurrence relation:


    K_1 = 5555555555555555
    P_1 = FFFFFFFFFFFFFFFF


    C_i     = E(K_i, P_i)
    C_{i+1} = E(K_i, C_i)

    K_{i+3} = C_{i+2}
    P_{i+3} = C_i


where K_i, P_i and C_i denote key, input and output at time n, with
the value of i determined from the equation i = 3(n-1)+1 for
n = 1, 2, 3, ..., TESTLENGTH. Here the symbol E denotes the DES
encryption operation and D denotes the DES decryption operation. The
initial values of key and plaintext, K_1 and P_1, are 64 bit numbers
represented in hexadecimal notation with correct parity for each 8-bit
byte of the key.

The test can be used in any of four modes depending on the degree of
certainty required and the time available to perform the test. In each
of the four modes only the final ciphertext differs; the initial
plaintext and key remain the same.


Test 1: Tests all output bits for stuck-at-one and stuck-at-zero
faults; the P and E matrices used by the DES algorithm are also
tested.


Test 2: Includes Test 1, tests the S-boxes and includes a test for
stuck-faults at all the key and input bits except one input bit.


Test 3: Includes Test 2, a complete test for stuck-faults and a test
of the IP^-1 matrix.


Test 4: Tests all aspects of the algorithm.


The following table provides a concise display of the various tests,
the number of iterations required for each test, the number of
encryption or decryption operations performed during each test, the
final output for each test and the specific properties of the DES
algorithm that are tested during each test.


Table 1. Properties of the Four Maintenance Tests

               test 1          test 2          test 3          test 4

iterations     3               6               8               64

enc/dec ops    9               18              24              192

final output   BF1FF37B        1DFCF1C8        00B82CBB        246E9DB9
               C46CC2CA        44E84A9B        E58DBB9F        C550381A

props tested   output stuck    test 1 and      test 2 and      complete
               faults, P, E    S-boxes         input stuck     test
                                               faults


1.3  The Values for the Parameters of the Test

The efficacy of the testing procedure depends largely on the
effectiveness of the DES as a pseudo-random number generator [5]. The
number of iterations needed to satisfy each test requirement could not
be determined in advance. However an upper-bound value for TESTLENGTH
was determined from a Markov chain model of the full testing
procedure. The results were that if pseudo-random input vectors are
presented to a linear device with n inputs, then the expected number
of tests required to test completely the device for sufficiently large
n is approximately n+2. Since n is the minimum number required, the
distribution has a very small standard deviation. Hence we need to
examine at most n+3 or n+4 pseudo-random input vectors to be sure of
obtaining a maximal linearly independent set (=basis) of appropriate
dimension. See Appendix C for the details of the calculation.


2.   DESCRIPTION  OF  THE  DES  ALGORITHM 


The Federal Information Processing Data Encryption Standard published
on January 15, 1977 [3] is a complex non-linear ciphering algorithm
that was designed for efficient hardware implementation. Although
there are software implementations, they do not comply with the
standard and are generally quite inefficient compared to hardware
versions [6]. The DES algorithm operates on 64 bits of input to
produce 64 bits of output under the action of a 56-bit keying
parameter. With the exception of initial and final permutations, the
algorithm is a series connection of sixteen rounds. Each round uses 48
bits of the key in a sequence determined by a key schedule. With the
exception of this difference in the round keys, the sixteen rounds are
identical to one another. Each round receives an input of 64 bits; the
32-bit right half is expanded by the linear operator E to 48 bits and
the result is mod 2 added to the round key; the 48 bit sum is divided
into eight 6-bit blocks, each of which determines a 4-bit S-box entry;
the resulting 32 bits are added mod 2 to the left half and the two
halves are interchanged, thus producing 64 bits of output for the
round. Sixteen rounds connected in series, each using a different
round key as determined by the key schedule, together with initial and
final permutations make up the DES algorithm. Despite its complexity
the DES is capable of operating at high speed when implemented in
hardware. For example, an encryption or decryption of one 64-bit block
on the NBS DES unit takes 9 microseconds. Appendix A contains a
complete functional description of the DES algorithm parameters, i.e.,
permutations, S-boxes and key schedule.


2.1   The  Permutations  and  E  Operator 

The role of the permutation P is to mix thoroughly the data bits. The
operator E expands its 32 bit input to a 48 bit output that is added
mod 2 to the round key. The permutations in the key-schedule, PC1 and
PC2, intermix the key bits among the round keys in such a way as to
equalize key-bit utilization. No key bit is used more than 15 times
nor less than 12 times. The initial and final permutations, IP and
IP^-1, are byte oriented for efficient hardware implementation.

Each permutation is a linear operator, and so can be thought of as an
n x m matrix and can be validated completely if it operates correctly
on an appropriate maximal linearly independent set of input vectors,
i.e., a suitable basis.


2.2   The  S-boxes 


The non-linear substitution tables, or S-boxes, constitute an
important part of the algorithm. The purpose of the S-boxes is to
ensure that the algorithm is not linear [1,2]. Each of the eight
S-boxes contains 64 entries, organized as a 4x16 matrix. Each entry is
a four bit binary number, represented as 0-15, so the output of the
parallel connection of eight S-boxes is 32 bits. A particular entry in
a single S-box is selected by six bits, two of which select a row and
four select a column. The entry in the corresponding row and column is
the output for that input. Each row in each S-box is a permutation of
the numbers 0-15, so no entry is repeated in any one row.



2.3   The  Key  Schedule


2.4   Maintaining the Correctness of DES Devices

The test program verifies the correct operation of an implementation
by performing one of several optional series of tests on the device
during operation. The pseudo-random tests have been examined to be
sure that a basis of vectors is presented to each of the matrix
operators in the algorithm, thus verifying their correct
implementation as linear operators, and to exercise every element in
each S-box.


2.4.1 DES Tests. The tests are designed to assure the correctness of
each of the following components of the algorithm (see Appendix A):


1.  Initial permutation, IP

2.  Inverse permutation, IP^-1

3.  Expansion matrix, E

4.  Data Permutation, P

5.  Key Permutation, PC1

6.  Key Permutation, PC2

7.  Substitution tables:

8.  Mod 2 adders


In addition the tests protect against the possibility of stuck-faults
at the interfaces between any of the above elements as well as at the
input, key and output of the DES itself.


2.4.2 Relations


3.   TESTING PHILOSOPHY


3.1   Stuck-faults in Cipher Feedback Mode

One of the modes of operation of the DES is cipher feedback, where the
output of the DES is added mod 2 to the plaintext to produce
ciphertext. If the output of the DES is subject to stuck-faults,
either at one or at zero, then some part of the plaintext, or its
complement, is being transmitted in the clear. It is therefore
desirable that the device be tested for stuck-faults, preferably
during all encipherment operations, while being used in cipher
feedback mode.


3.2   Generating the Pseudo-random Tests

Since  the  DES  is  known  to  be  a  good  pseudo-random 
number  generator  [5],  the  maintenance  test  was  designed  to 
use  the  output  of  the  DES  fed  back  as  data  or  as  key-text 
alternatively.  Both  encryption  and  decryption  operations  are 
used  in  order  to  exercise  all  parts  of  the  algorithm.  When 
all  the  cycles  of  each  test  have  been  completed,  the  final 
output  is  compared  with  a  single  stored  value.  If  the  two 
values  are  the  same,  then  the  device  has  passed  the  test, 
otherwise  the  device  should  be  rendered  inoperable. 


The  following  program  is  used  to  do  this: 


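key = 5555555555555555
input = FFFFFFFFFFFFFFFF
for(n=1; n<=TESTLENGTH; n=n+1){
    crypt('e', key, output, input)    /* encipher input under key */
    input = output                    /* feed ciphertext back as data */
    crypt('e', key, output, input)    /* encipher again under the same key */
    key = output                      /* feed ciphertext back as key */
    crypt('d', key, output, input)    /* decipher under the new key */
    key = output                      /* key for the next cycle */
}

if(output==LASTCIPHER) OK
else NG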


The 64 bit starting values for key and input are represented in
hexadecimal notation. The value of TESTLENGTH, either 3, 6, 8 or 64,
is user supplied and is determined according to the degree of
completeness of testing desired. The value of LASTCIPHER is as listed
in Table 1 for the appropriate number of iterations. The values of
TESTLENGTH and LASTCIPHER are set according to which test is desired.


The following list specifies the values of TESTLENGTH and LASTCIPHER
for each of the four testing modes described.


Test 1 Parameters:  TESTLENGTH = 3
                    LASTCIPHER = BF1FF37BC46CC2CA


Test 2 Parameters:  TESTLENGTH = 6
                    LASTCIPHER = 1DFCF1C844E84A9B


Test 3 Parameters:  TESTLENGTH = 8
                    LASTCIPHER = 00B82CBBE58DBB9F


Test 4 Parameters:  TESTLENGTH = 64
                    LASTCIPHER = 246E9DB9C550381A
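
The cycling program above as runnable Go, added here as an illustration and not part of the original publication: Go's standard crypto/des stands in for the DES hardware, and Device, Reference, StuckOutput, Maintain, LastCipher and Undetected are names chosen for this example. It also simulates a stuck-fault on each output line (the concern of Section 3.1) and counts how many of those faults would leave the final output unchanged.

```go
package main

import (
	"crypto/des"
	"fmt"
)

type Block [8]byte // one 64-bit key, input or output

// Device stands in for the page's crypt(mode, key, output, input) call:
// mode 'e' enciphers, 'd' deciphers. The type is an assumption of this example.
type Device func(mode byte, key, in Block) Block

// Reference is a software DES from Go's standard library, used here in
// place of the hardware under test. It ignores the key's parity bits.
func Reference(mode byte, key, in Block) Block {
	c, err := des.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	var out Block
	if mode == 'e' {
		c.Encrypt(out[:], in[:])
	} else {
		c.Decrypt(out[:], in[:])
	}
	return out
}

// StuckOutput simulates a stuck-fault on one output line of d: DES bit
// `bit` (1 = leftmost, 64 = rightmost) always reads `level` (0 or 1).
func StuckOutput(d Device, bit int, level byte) Device {
	idx, mask := (bit-1)/8, byte(0x80)>>uint((bit-1)%8)
	return func(mode byte, key, in Block) Block {
		out := d(mode, key, in)
		if level == 1 {
			out[idx] |= mask
		} else {
			out[idx] &^= mask
		}
		return out
	}
}

// Maintain runs the cycling program for testLength cycles (three DES
// operations per cycle) and returns the final output as upper-case hex.
func Maintain(d Device, testLength int) string {
	key := Block{0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}
	input := Block{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
	var output Block
	for n := 1; n <= testLength; n++ {
		output = d('e', key, input) // encipher input under key
		input = output              // ciphertext fed back as data
		output = d('e', key, input) // encipher again
		key = output                // ciphertext fed back as key
		output = d('d', key, input) // decipher under the new key
		key = output                // key for the next cycle
	}
	return fmt.Sprintf("%X", output[:])
}

// LastCipher maps TESTLENGTH to LASTCIPHER as printed in the page's Table 1.
var LastCipher = map[int]string{
	3: "BF1FF37BC46CC2CA", 6: "1DFCF1C844E84A9B",
	8: "00B82CBBE58DBB9F", 64: "246E9DB9C550381A",
}

// Undetected counts the 128 single output stuck-faults (64 bits, both
// levels) that leave the final output of a testLength-cycle run unchanged.
func Undetected(testLength int) int {
	good, missed := Maintain(Reference, testLength), 0
	for bit := 1; bit <= 64; bit++ {
		for level := byte(0); level <= 1; level++ {
			if Maintain(StuckOutput(Reference, bit, level), testLength) == good {
				missed++
			}
		}
	}
	return missed
}

func main() {
	for _, n := range []int{3, 6, 8, 64} {
		got := Maintain(Reference, n)
		fmt.Printf("TESTLENGTH %d: %s match=%v undetected=%d\n", n, got, got == LastCipher[n], Undetected(n))
	}
}
```
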


3.3   Description  of  Tests 

Test 1 uses three cycles of the program, corresponding to nine
encryptions or decryptions. Test 1 is useful as a maintenance test for
the DES when used in cipher feedback mode to ensure that no
stuck-faults in the output will expose plaintext. It is a short test
and can be practically executed on-line between transmissions. Note
that for this test each bit of the output is both zero and one at
least once.

all  inputs  for  stuck-faults  (plain-
ne   throughout   this   part   of   the

actually  five  more  operations,  are
bit  54,  and  carry  out  test  3.  Test
ts  at  the  input  and  output  of  every

IP,  P,  E,  IP^-1,  PC1,  PC2,  the  S-
the  key-schedule  and  the  inputs  and
rs.


Test 4 is a complete test of the functionality of the algorithm. The
verification of both tests 2 and 4 requires examination of the inputs
to each of the linear elements of the algorithm to ensure that a
basis, i.e., a maximal linearly independent set of vectors of
appropriate dimension, is presented to each, thus ensuring that all
matrix entries are fully exercised. The DES validation test presents
standard unit basis vectors to these linear elements, while the
maintenance test presents random inputs. Thus the inputs have been
checked, not for the standard unit basis, for which we would have to
wait a long time, but for any basis of the proper dimension. This is
equivalent to the standard unit basis in terms of testing linear
elements. A variant of the Gram-Schmidt orthogonalization process was
used to do this, as described in Appendix B. The application of this
process shows that the first 32 vectors applied to P are linearly
independent, thus testing P completely; this corresponds to just two
encipherments, since P is used 16 times during each encryption or
decryption operation, or one cycle of the program. Similarly, the
first 34 vectors applied to E contain a maximal linearly independent
set (the 17th and 33rd vectors are dependent on the others); again the
first cycle of the program suffices to test E. Hence test set 1 for
stuck-faults tests P and E as well.

The first 66 encipherments, corresponding to 22 cycles of the program,
test completely IP^-1; the first 87 encipherments, corresponding to 29
program cycles, test the entire key schedule for both encipherment and
decipherment; and 64 complete cycles are required to test IP. It is
this requirement of testing the initial permutation that fixes the
value of TESTLENGTH for test 4 at 64, or 192 encipherments or
decipherments.


4.   SUMMARY  AND  CONCLUSIONS 


A  variety  of  maintenance  tests  for  DES  devices  in  the 
field  have  been  described,  ranging  from  testing  for  stuck- 
faults  in  the  output  to  a  full  test  of  the  DES  device.  The 
tests  are  simple  and  efficient  and  can  be  executed  from  a 
small  ROM  program  on-board  with  the  DES.  Recommended  testing 
environments  include: 


1.  manufacturer's assembly-line checkout for DES devices,

2.  user acceptance test for newly acquired and recently repaired
    devices,

3.  field-maintenance service testing, and

4.  in-service testing of DES devices to maintain the integrity of
    the encryption system.

Users of DES devices can choose one of the four tests described,
depending on their evaluation of which test is most convenient and
meaningful in the given operational environment. However test 4, the
complete functionality test, encompasses all the other tests and is
hence the best test to use whenever practicable.

During each test there is no verification of intermediate values, just
a check of the final output for correctness. Thus there is a
possibility for undetected, self-cancelling double errors that these
tests are not designed to detect. Many such errors will be detected if
they occur in different functional units of the DES, but the user of
these tests should be alert to the possibility, however remote, that
such errors might not be detected.


5.   Appendix A: The DES Algorithm Specification


For the convenience of the reader, this appendix contains a complete
specification of the parameters involved in the definition of the DES
algorithm.

The DES acts on a 64 bit block of plaintext, which is first permuted
by IP:


IP

58  50  42  34  26  18  10   2
60  52  44  36  28  20  12   4
62  54  46  38  30  22  14   6
64  56  48  40  32  24  16   8
57  49  41  33  25  17   9   1
59  51  43  35  27  19  11   3
61  53  45  37  29  21  13   5
63  55  47  39  31  23  15   7


(e.g., bit one of the output is bit 58 of the input and bit two is bit
50, etc.)


The result is separated into two 32 bit registers, L and R, and then
passed through the sixteen rounds. The final 64 bit result is operated
on by the inverse of IP, IP^-1:


IP^-1

40   8  48  16  56  24  64  32
39   7  47  15  55  23  63  31

The round keys K are determined by the key schedule. There are three
parameters to be specified, PC1, PC2 and the shift schedule:


PC2

14  17  11  24   1   5
 3  28  15   6  21  10
23  19  12   4  26   8
16   7  27  20  13   2
41  52  31  37  47  55
30  40  51  45  33  48
44  49  39  56  34  53
46  42  50  36  29  32


and the shift schedule is:

Iteration


For a single round the expansion operator E and the permutation P need
to be specified:

There remain only the S-boxes:

The reader is referred to [3] for the official specification of these
parameters.


6.   Appendix B: The Gram-Schmidt Algorithm


Given an arbitrary set k_1, k_2, k_3, ..., k_n, ... of n-dimensional
vectors, we will construct a maximal linearly independent subset of
vectors using the Gram-Schmidt process. The method is to assume that
the vectors k_i are linearly independent and to use the Gram-Schmidt
process to construct an orthogonal set as follows. We will use the
notation <x| for a row vector and |x> for a column vector, <x|y> for
inner product and |x| for the norm of a vector. Let


    u_1 = k_1

    u_2 = k_2 - (<u_1|k_2>/|u_1|^2) u_1

    u_3 = k_3 - (<u_1|k_3>/|u_1|^2) u_1 - (<u_2|k_3>/|u_2|^2) u_2

    etc.


If at any stage in this process u_i is equal to zero then omit k_i and
continue. This process will construct a linearly independent subset of
the original set, which may not necessarily be maximal, but if the
original set is sufficiently large the process will terminate after n
vectors have been selected, and the subset is thus maximal.


The required theorem is as follows.


Theorem. u_i = 0 if and only if k_i is dependent on the k_j for j<i.


Proof. Suppose u_i = 0, then k_i is a linear combination of u_j for
j<i. Since each u_j is a linear combination of k_l for l ≤ j, we have
that k_i is a linear combination of k_j for j<i.

Conversely, if k_i depends on the k_j for j<i, then k_i also depends
on the u_j for j<i. Hence each <u_j|k_i> is the coefficient of u_j in
the expansion of k_i in the vectors u_j. Thus the sum of the terms
subtracted from k_i in the Gram-Schmidt process actually equals k_i,
so u_i = 0.

In this form the Gram-Schmidt test is used to ensure that sufficiently
many pseudo-random vectors have been presented to each linear element
of the DES to guarantee complete testing. Appendix C addresses the
question of how many random vectors must be examined on the average in
order to ensure that we have a maximal linearly independent set.


7.   Appendix C: Pseudo-random Testing of Linear Devices


A Markov-chain model is used to compute the mean and standard
deviation of the number of pseudo-random input vectors that must be
presented to a linear device to ensure that a basis has been presented
to the device, thus testing it completely.

Theorem 1. For the Markov chain described above, the transition
probability from state i to state i is 1/2^(k-i).

Proof. Let N(i) denote the number of vectors not in the linearly
independent set and not zero, but in the span of the set. It suffices
to show that N(i) = 2^i - i - 1. It's immediate that

    N(i) = 1 + SUM(j=2, i-1) C(i,j),

where C(i,j) denotes the number of combinations of i things taken j at
a time, and the argument follows by induction on i. The inductive step
uses the additive formula [10; 1.2.6DO)].

In the next theorem we compute the mean number of transitions for this
Markov chain to be absorbed.

Theorem 2. The expected number of transitions to absorption for the
above Markov chain is, for k>1,

    E_k = S_k + [1/(2^k - 1)] + 1,

where S_k = SUM(i=1, k-1)[2^i/(2^i - 1)].
Proof. By induction on k. For the case k=2, we have

                   4/3   2
    (I-Q)^-1  =
                   0     2,

so, assuming a start with a non-zero element, the expected number of
transitions to absorption S_k is the sum of the last row of the
fundamental matrix, or 2. The inductive step follows from the
definition of the Markov chain. Now E_k is equal to one for the first
state plus the probability of starting without a non-zero element
times the mean number of transitions to absorption given a start
without a non-zero element plus the probability of starting with a
non-zero element times the mean number of transitions given a start
with a non-zero element, or

    E_k = S_k + [1/(2^k - 1)] + 1,

where all the states except the first are lumped to give a two state
Markov chain with transition matrix

    1          0
    1-1/2^k    1/2^k

with Q = 1 - 1/2^k, so the fundamental matrix is 2^k/(2^k-1). This is
precisely the mean number of transitions required to get out of the
zero state.

We now derive an asymptotic estimate to the above formula.

Theorem 4. The average number of vectors that must be examined to
obtain a basis is asymptotically log n + c + O(1/n), where k is the
number of non-zero vectors required to define the system, n = 2^k and
c is a constant.

Proof. Rewrite S_k as

    S_k = SUM(i=1, k-1){1/[1 - (1/2^i)]},

to see that, apart from the first few terms, each new term just adds
one as k increases, so asymptotically, for some constant c, we have
S_k = c + k, and we see that the asymptotic value = log n + c +
O(1/n). The value of c is given in [11; 5.2.3(19)], the computation
being attributed to J. W. Wrench, as approximately 1.606.

Hence if the dimension of the system is k, we need to look at k+2
random vectors on the average to obtain a maximal linearly independent
set.

We now compute the standard deviation, realizing that the difference
between the average and the minimum value of the parameter is just
1.606, so the standard deviation must be smaller than this. Reference
to [7; theorem 3.3.5] shows that the standard deviation is
approximately 1.414 for all values of k, as expected. Thus the
distribution has a very small variance and we expect to examine about
k+3 or k+4 vectors to obtain a k-dimensional basis in a set of
k-dimensional random vectors, provided the dimension k is sufficiently
large.